From a82ea8fb0338f2bd46cf627c4b763094448e6bd7 Mon Sep 17 00:00:00 2001
From: cdcadman <mythirty@gmail.com>
Date: Wed, 17 May 2023 03:57:08 -0700
Subject: [PATCH] Address CVE-2023-26112 ReDoS
---
src/configobj/validate.py | 2 +-
src/tests/test_validate_errors.py | 10 +++++++++-
2 files changed, 10 insertions(+), 2 deletions(-)
diff --git a/src/configobj/validate.py b/src/configobj/validate.py
index 9267a3f..98d879f 100644
--- a/src/configobj/validate.py
+++ b/src/configobj/validate.py
@@ -541,7 +541,7 @@ class Validator(object):
"""
# this regex does the initial parsing of the checks
- _func_re = re.compile(r'(.+?)\((.*)\)', re.DOTALL)
+ _func_re = re.compile(r'([^\(\)]+?)\((.*)\)', re.DOTALL)
# this regex takes apart keyword arguments
_key_arg = re.compile(r'^([a-zA-Z_][a-zA-Z0-9_]*)\s*=\s*(.*)$', re.DOTALL)
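Review bot: The comment above `_func_re` still only says it does the initial parsing, so nothing records that the name group now excludes parentheses to stop the backtracking behind CVE-2023-26112, and a later cleanup could restore `.+?` unnoticed. I would extend it to something like `# name group excludes '(' and ')' so a failed match cannot backtrack across parentheses (CVE-2023-26112)`. The bound also appears to hold only when the pattern is applied anchored at the start of the check string (`match`, not `search`); that call site is outside this hunk, in the rest of the `Validator` class, so it is worth confirming. As a style point, the backslashes are unnecessary inside a character class, and `[^()]` reads more clearly.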
diff --git a/src/tests/test_validate_errors.py b/src/tests/test_validate_errors.py
index 399daa8..f7d6c27 100644
--- a/src/tests/test_validate_errors.py
+++ b/src/tests/test_validate_errors.py
@@ -3,7 +3,7 @@
import pytest
from configobj import ConfigObj, get_extra_values, ParseError, NestingError
-from configobj.validate import Validator
+from configobj.validate import Validator, VdtUnknownCheckError
@pytest.fixture()
def thisdir():
@@ -77,3 +77,11 @@ def test_no_parent(tmpdir, specpath):
ini.write('[[haha]]')
with pytest.raises(NestingError):
conf = ConfigObj(str(ini), configspec=specpath, file_error=True)
+
+
+def test_re_dos(val):
+ value = "aaa"
+ i = 165100
+ attack = '\x00'*i + ')' + '('*i
+ with pytest.raises(VdtUnknownCheckError):
+ val.check(attack, value)
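Review bot: `test_re_dos` only asserts that `VdtUnknownCheckError` is raised, and since the input has no `(` before its single `)`, the pre-fix pattern would presumably reach the same error after a very long run, so a regression would show up as a hung test rather than a failing one. I would bound the runtime, e.g. `start = time.perf_counter()` before the `with` block and `assert time.perf_counter() - start < 5` after it (with `import time` at the top of the file), or use whatever timeout mechanism the suite already has. A short comment on where `i = 165100` comes from would also help the next reader. The `val` fixture is defined outside this hunk.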